From c94ce49cd85fb326cd3236a7fda28f6b265d2136 Mon Sep 17 00:00:00 2001 From: joshvanl Date: Tue, 19 May 2026 12:20:23 +0000 Subject: [PATCH 1/2] service-invocation: document hop-by-hop header stripping in v1.18 Cover dapr/dapr#9759. Before v1.18, Dapr forwarded hop-by-hop HTTP headers (Connection, Keep-Alive, Proxy-Connection, Transfer-Encoding, Upgrade, HTTP2-Settings, TE, Trailer, Proxy-Authorization) verbatim when proxying service invocation, violating RFC 7230 6.1 and breaking HTTP/2-upgrade-aware clients against HTTPS upstream servers. From v1.18, those headers are stripped on both request and response paths across every service invocation flavor (local, remote, HTTPEndpoint, dapr-app-id header, direct URL). End-to-end headers (Accept, Authorization, Content-Type, custom X-* headers) are unaffected. Signed-off-by: joshvanl --- .../service-invocation/service-invocation-overview.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/daprdocs/content/en/developing-applications/building-blocks/service-invocation/service-invocation-overview.md b/daprdocs/content/en/developing-applications/building-blocks/service-invocation/service-invocation-overview.md index 4f391c03e51..2d765d8654e 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/service-invocation/service-invocation-overview.md +++ b/daprdocs/content/en/developing-applications/building-blocks/service-invocation/service-invocation-overview.md 
@@ -98,6 +98,12 @@ Self-hosted machines can use the mDNS name resolution component. As an alternati The Consul name resolution component is particularly suited to multi-machine deployments and can be used in any hosting environment, including Kubernetes, multiple VMs, or self-hosted. +### Hop-by-hop header stripping + +When proxying HTTP service invocation, Dapr removes the standard hop-by-hop headers defined in [RFC 7230 Section 6.1](https://datatracker.ietf.org/doc/html/rfc7230#section-6.1) before forwarding the request to the upstream application or [HTTPEndpoint]({{% ref "httpendpoints-overview.md" %}}), and again before forwarding the upstream's response back to the caller. These headers are: `Connection`, `Keep-Alive`, `Proxy-Connection`, `Transfer-Encoding`, `Upgrade`, `HTTP2-Settings`, `TE`, `Trailer`, and `Proxy-Authorization`. + +End-to-end headers (`Accept`, `Authorization`, `Content-Type`, custom `X-*` headers, etc.) are not affected and continue to be forwarded unchanged. + ### Streaming for HTTP service invocation You can handle data as a stream in HTTP service invocation. This can offer improvements in performance and memory utilization when using Dapr to invoke another service using HTTP with large request or response bodies. From 0c674fc0ffa444688bc9dfeba921156aaa6dc73f Mon Sep 17 00:00:00 2001 From: Marc Duiker Date: Wed, 20 May 2026 12:57:46 +0200 Subject: [PATCH 2/2] Update daprdocs/content/en/developing-applications/building-blocks/service-invocation/service-invocation-overview.md Signed-off-by: Marc Duiker --- .../service-invocation/service-invocation-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/developing-applications/building-blocks/service-invocation/service-invocation-overview.md b/daprdocs/content/en/developing-applications/building-blocks/service-invocation/service-invocation-overview.md index 2d765d8654e..fa4ec0048b7 100644 
--- a/daprdocs/content/en/developing-applications/building-blocks/service-invocation/service-invocation-overview.md +++ b/daprdocs/content/en/developing-applications/building-blocks/service-invocation/service-invocation-overview.md @@ -100,7 +100,7 @@ The Consul name resolution component is particularly suited to multi-machine dep ### Hop-by-hop header stripping -When proxying HTTP service invocation, Dapr removes the standard hop-by-hop headers defined in [RFC 7230 Section 6.1](https://datatracker.ietf.org/doc/html/rfc7230#section-6.1) before forwarding the request to the upstream application or [HTTPEndpoint]({{% ref "httpendpoints-overview.md" %}}), and again before forwarding the upstream's response back to the caller. These headers are: `Connection`, `Keep-Alive`, `Proxy-Connection`, `Transfer-Encoding`, `Upgrade`, `HTTP2-Settings`, `TE`, `Trailer`, and `Proxy-Authorization`. +When proxying HTTP service invocation, Dapr removes the standard hop-by-hop headers defined in [RFC 7230 Section 6.1](https://datatracker.ietf.org/doc/html/rfc7230#section-6.1) before forwarding the request to the upstream application or [HTTPEndpoint]({{% ref "httpendpoints-schema.md" %}}), and again before forwarding the upstream's response back to the caller. These headers are: `Connection`, `Keep-Alive`, `Proxy-Connection`, `Transfer-Encoding`, `Upgrade`, `HTTP2-Settings`, `TE`, `Trailer`, and `Proxy-Authorization`. End-to-end headers (`Accept`, `Authorization`, `Content-Type`, custom `X-*` headers, etc.) are not affected and continue to be forwarded unchanged.
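Review bot: The added "Hop-by-hop header stripping" paragraph in PATCH 1/2 never states the version at which this starts, although the commit message says headers were forwarded verbatim before v1.18. Add a sentence such as "From v1.18, ..." so that operators upgrading know that an application which relied on `Upgrade` or `Proxy-Authorization` passing through the sidecar will see different behaviour. The paragraph also lists only fixed header names; since it cites RFC 7230 Section 6.1, it should say whether header fields nominated in the value of `Connection` are removed as well. The commit message's list of covered flavors (local, remote, HTTPEndpoint, dapr-app-id header, direct URL) would be worth carrying into the docs text too, because the paragraph currently names only the upstream application and HTTPEndpoint.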
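Review bot: The commit message for PATCH 2/2 is the default "Update <path>" subject and gives no reason for switching the `ref` target on the `+` line from `httpendpoints-overview.md` to `httpendpoints-schema.md`. State the reason in the message (for example, that the original target does not resolve, if that is the case), and consider squashing this into PATCH 1/2, since it only corrects a line that patch introduced. Also confirm that a schema reference page is the intended destination for the inline "HTTPEndpoint" link text rather than a conceptual page.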